@enbox/dwn-sdk-js 0.0.6 → 0.0.8

package/dist/esm/src/core/protocol-authorization.js

@@ -1,236 +1,181 @@
-var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
-    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
-    return new (P || (P = Promise))(function (resolve, reject) {
-        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
-        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
-        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
-        step((generator = generator.apply(thisArg, _arguments || [])).next());
-    });
-};
-var __rest = (this && this.__rest) || function (s, e) {
-    var t = {};
-    for (var p in s) if (Object.prototype.hasOwnProperty.call(s, p) && e.indexOf(p) < 0)
-        t[p] = s[p];
-    if (s != null && typeof Object.getOwnPropertySymbols === "function")
-        for (var i = 0, p = Object.getOwnPropertySymbols(s); i < p.length; i++) {
-            if (e.indexOf(p[i]) < 0 && Object.prototype.propertyIsEnumerable.call(s, p[i]))
-                t[p[i]] = s[p[i]];
-        }
-    return t;
-};
-import Ajv from 'ajv/dist/2020.js';
-import { FilterUtility } from '../utils/filter.js';
-import { PermissionsProtocol } from '../protocols/permissions.js';
-import { Records } from '../utils/records.js';
-import { RecordsWrite } from '../interfaces/records-write.js';
+import { getRuleSetAtPath } from '../utils/protocols.js';
 import { SortDirection } from '../types/query-types.js';
 import { DwnError, DwnErrorCode } from './dwn-error.js';
 import { DwnInterfaceName, DwnMethodName } from '../enums/dwn-interface-method.js';
-import { getRuleSetAtPath, isCrossProtocolRef, parseCrossProtocolRef } from '../utils/protocols.js';
-import { ProtocolAction, ProtocolActor } from '../types/protocols-types.js';
+import { authorizeAgainstAllowedActions, verifyInvokedRole } from './protocol-authorization-action.js';
+import { constructRecordChain, fetchInitialWrite, getGoverningTimestamp } from './record-chain.js';
+import { verifyAsRoleRecordIfNeeded, verifyImmutability, verifyProtocolPathAndContextId, verifyRecordLimit, verifySizeLimit, verifyTagsIfNeeded, verifyTypeWithComposition, } from './protocol-authorization-validation.js';
 export class ProtocolAuthorization {
     /**
      * Performs validation on the structure of RecordsWrite messages that use a protocol.
      * @throws {Error} if validation fails.
      */
-    static validateReferentialIntegrity(tenant, incomingMessage, messageStore) {
-        return __awaiter(this, void 0, void 0, function* () {
-            // Determine the governing timestamp for protocol definition lookup.
-            // For an initial write, this is the message's own timestamp.
-            // For an update, this is the initial write's timestamp (the protocol version is locked at creation time).
-            const governingTimestamp = yield ProtocolAuthorization.getGoverningTimestamp(tenant, incomingMessage, messageStore);
-            // fetch the protocol definition that was active at the governing timestamp
-            const protocolDefinition = yield ProtocolAuthorization.fetchProtocolDefinition(tenant, incomingMessage.message.descriptor.protocol, messageStore, governingTimestamp);
-            // verify declared protocol type exists in protocol and that it conforms to type specification.
-            // For cross-protocol composition, the type may be defined in a referenced protocol.
-            yield ProtocolAuthorization.verifyTypeWithComposition(tenant, incomingMessage.message, protocolDefinition, messageStore, governingTimestamp);
-            // validate `protocolPath`
-            yield ProtocolAuthorization.verifyProtocolPathAndContextId(tenant, incomingMessage, messageStore, governingTimestamp);
-            // get the rule set for the inbound message
-            const ruleSet = ProtocolAuthorization.getRuleSet(incomingMessage.message.descriptor.protocolPath, protocolDefinition);
-            // Validate as a role record if the incoming message is writing a role record
-            yield ProtocolAuthorization.verifyAsRoleRecordIfNeeded(tenant, incomingMessage, ruleSet, messageStore);
-            // Verify size limit
-            ProtocolAuthorization.verifySizeLimit(incomingMessage, ruleSet);
-            // Verify protocol tags
-            ProtocolAuthorization.verifyTagsIfNeeded(incomingMessage, ruleSet);
-        });
+    static async validateReferentialIntegrity(tenant, incomingMessage, messageStore, coreProtocols) {
+        // Determine the governing timestamp for protocol definition lookup.
+        // For an initial write, this is the message's own timestamp.
+        // For an update, this is the initial write's timestamp (the protocol version is locked at creation time).
+        const governingTimestamp = await getGoverningTimestamp(tenant, incomingMessage, messageStore);
+        // fetch the protocol definition that was active at the governing timestamp
+        const protocolDefinition = await ProtocolAuthorization.fetchProtocolDefinition(tenant, incomingMessage.message.descriptor.protocol, messageStore, governingTimestamp, coreProtocols);
+        // Create a bound fetch function that captures the registry for downstream callbacks.
+        const boundFetchDefinition = ProtocolAuthorization.createBoundFetchDefinition(coreProtocols);
+        // verify declared protocol type exists in protocol and that it conforms to type specification.
+        // For cross-protocol composition, the type may be defined in a referenced protocol.
+        await verifyTypeWithComposition(tenant, incomingMessage.message, protocolDefinition, messageStore, boundFetchDefinition, governingTimestamp);
+        // validate `protocolPath`
+        await verifyProtocolPathAndContextId(tenant, incomingMessage, messageStore, boundFetchDefinition, governingTimestamp);
+        // get the rule set for the inbound message
+        const ruleSet = ProtocolAuthorization.getRuleSet(incomingMessage.message.descriptor.protocolPath, protocolDefinition);
+        // Validate as a role record if the incoming message is writing a role record
+        await verifyAsRoleRecordIfNeeded(tenant, incomingMessage, ruleSet, messageStore);
+        // Verify size limit
+        verifySizeLimit(incomingMessage, ruleSet);
+        // Verify protocol tags
+        verifyTagsIfNeeded(incomingMessage, ruleSet);
+        // Verify immutability — reject updates to write-once records
+        await verifyImmutability(incomingMessage, ruleSet);
+        // Verify record count limit
+        await verifyRecordLimit(tenant, incomingMessage, ruleSet, messageStore);
     }
     /**
      * Performs protocol-based authorization against the incoming RecordsWrite message.
      * @throws {Error} if authorization fails.
      */
-    static authorizeWrite(tenant, incomingMessage, messageStore) {
-        return __awaiter(this, void 0, void 0, function* () {
-            const existingInitialWrite = yield ProtocolAuthorization.fetchInitialWrite(tenant, incomingMessage.message.recordId, messageStore);
-            let recordChain;
-            if (existingInitialWrite === undefined) {
-                // NOTE: we can assume this message is an initial write because an existing initial write does not exist.
-                // Additionally, we check further down in the `RecordsWriteHandler` if the incoming message is an initialWrite,
-                // so we don't check explicitly here to avoid an unnecessary duplicate check.
-                recordChain = yield ProtocolAuthorization.constructRecordChain(tenant, incomingMessage.message.descriptor.parentId, messageStore);
-            }
-            else {
-                recordChain = yield ProtocolAuthorization.constructRecordChain(tenant, incomingMessage.message.recordId, messageStore);
-            }
-            // Determine the governing timestamp for protocol definition lookup.
-            const governingTimestamp = yield ProtocolAuthorization.getGoverningTimestamp(tenant, incomingMessage, messageStore);
-            // fetch the protocol definition that was active at the governing timestamp
-            const protocolDefinition = yield ProtocolAuthorization.fetchProtocolDefinition(tenant, incomingMessage.message.descriptor.protocol, messageStore, governingTimestamp);
-            // get the rule set for the inbound message
-            const ruleSet = ProtocolAuthorization.getRuleSet(incomingMessage.message.descriptor.protocolPath, protocolDefinition);
-            // If the incoming message has `protocolRole` in the descriptor, validate the invoked role
-            yield ProtocolAuthorization.verifyInvokedRole(tenant, incomingMessage, incomingMessage.message.descriptor.protocol, incomingMessage.message.contextId, protocolDefinition, messageStore, governingTimestamp);
-            // verify method invoked against the allowed actions in the rule set
-            yield ProtocolAuthorization.authorizeAgainstAllowedActions(tenant, incomingMessage, ruleSet, recordChain, messageStore, protocolDefinition);
-        });
+    static async authorizeWrite(tenant, incomingMessage, messageStore, coreProtocols) {
+        const existingInitialWrite = await fetchInitialWrite(tenant, incomingMessage.message.recordId, messageStore);
+        let recordChain;
+        if (existingInitialWrite === undefined) {
+            // NOTE: we can assume this message is an initial write because an existing initial write does not exist.
+            // Additionally, we check further down in the `RecordsWriteHandler` if the incoming message is an initialWrite,
+            // so we don't check explicitly here to avoid an unnecessary duplicate check.
+            recordChain = await constructRecordChain(tenant, incomingMessage.message.descriptor.parentId, messageStore);
+        }
+        else {
+            recordChain = await constructRecordChain(tenant, incomingMessage.message.recordId, messageStore);
+        }
+        // Determine the governing timestamp for protocol definition lookup.
+        const governingTimestamp = await getGoverningTimestamp(tenant, incomingMessage, messageStore);
+        // fetch the protocol definition that was active at the governing timestamp
+        const protocolDefinition = await ProtocolAuthorization.fetchProtocolDefinition(tenant, incomingMessage.message.descriptor.protocol, messageStore, governingTimestamp, coreProtocols);
+        // get the rule set for the inbound message
+        const ruleSet = ProtocolAuthorization.getRuleSet(incomingMessage.message.descriptor.protocolPath, protocolDefinition);
+        const boundFetchDefinition = ProtocolAuthorization.createBoundFetchDefinition(coreProtocols);
+        // If the incoming message has `protocolRole` in the descriptor, validate the invoked role
+        await verifyInvokedRole(tenant, incomingMessage, incomingMessage.message.descriptor.protocol, incomingMessage.message.contextId, protocolDefinition, messageStore, boundFetchDefinition, governingTimestamp);
+        // verify method invoked against the allowed actions in the rule set
+        await authorizeAgainstAllowedActions(tenant, incomingMessage, ruleSet, recordChain, messageStore, protocolDefinition);
     }
     /**
      * Performs protocol-based authorization against the incoming `RecordsRead` message.
      * @param newestRecordsWrite The latest RecordsWrite associated with the recordId being read.
      * @throws {Error} if authorization fails.
      */
-    static authorizeRead(tenant, incomingMessage, newestRecordsWrite, messageStore) {
-        return __awaiter(this, void 0, void 0, function* () {
-            // fetch record chain
-            const recordChain = yield ProtocolAuthorization.constructRecordChain(tenant, newestRecordsWrite.message.recordId, messageStore);
-            // Use the initial write's timestamp to determine the governing protocol definition.
-            // The protocol version is locked at the time the record was first created.
-            const initialWrite = yield ProtocolAuthorization.fetchInitialWrite(tenant, newestRecordsWrite.message.recordId, messageStore);
-            const governingTimestamp = initialWrite !== undefined
-                ? initialWrite.descriptor.messageTimestamp
-                : newestRecordsWrite.message.descriptor.messageTimestamp;
-            // fetch the protocol definition that was active when the record was created
-            const protocolDefinition = yield ProtocolAuthorization.fetchProtocolDefinition(tenant, newestRecordsWrite.message.descriptor.protocol, messageStore, governingTimestamp);
-            // get the rule set for the inbound message
-            const ruleSet = ProtocolAuthorization.getRuleSet(newestRecordsWrite.message.descriptor.protocolPath, protocolDefinition);
-            // If the incoming message has `protocolRole` in the descriptor, validate the invoked role
-            yield ProtocolAuthorization.verifyInvokedRole(tenant, incomingMessage, newestRecordsWrite.message.descriptor.protocol, newestRecordsWrite.message.contextId, protocolDefinition, messageStore, governingTimestamp);
-            // verify method invoked against the allowed actions in the rule set
-            yield ProtocolAuthorization.authorizeAgainstAllowedActions(tenant, incomingMessage, ruleSet, recordChain, messageStore, protocolDefinition);
-        });
-    }
-    static authorizeQueryOrSubscribe(tenant, incomingMessage, messageStore) {
-        return __awaiter(this, void 0, void 0, function* () {
-            const { protocol, protocolPath, contextId } = incomingMessage.message.descriptor.filter;
-            // fetch the protocol definition
-            const protocolDefinition = yield ProtocolAuthorization.fetchProtocolDefinition(tenant, protocol, // `authorizeQueryOrSubscribe` is only called if `protocol` is present
-            messageStore);
-            // get the rule set for the inbound message
-            const ruleSet = ProtocolAuthorization.getRuleSet(protocolPath, // presence of `protocolPath` is verified in `parse()`
-            protocolDefinition);
-            // If the incoming message has `protocolRole` in the descriptor, validate the invoked role
-            yield ProtocolAuthorization.verifyInvokedRole(tenant, incomingMessage, protocol, contextId, protocolDefinition, messageStore);
-            // verify method invoked against the allowed actions in the rule set
-            yield ProtocolAuthorization.authorizeAgainstAllowedActions(tenant, incomingMessage, ruleSet, [], // record chain is not relevant to queries or subscriptions
-            messageStore, protocolDefinition);
-        });
+    static async authorizeRead(tenant, incomingMessage, newestRecordsWrite, messageStore, coreProtocols) {
+        // fetch record chain
+        const recordChain = await constructRecordChain(tenant, newestRecordsWrite.message.recordId, messageStore);
+        // Use the initial write's timestamp to determine the governing protocol definition.
+        // The protocol version is locked at the time the record was first created.
+        const initialWrite = await fetchInitialWrite(tenant, newestRecordsWrite.message.recordId, messageStore);
+        const governingTimestamp = initialWrite !== undefined
+            ? initialWrite.descriptor.messageTimestamp
+            : newestRecordsWrite.message.descriptor.messageTimestamp;
+        // fetch the protocol definition that was active when the record was created
+        const protocolDefinition = await ProtocolAuthorization.fetchProtocolDefinition(tenant, newestRecordsWrite.message.descriptor.protocol, messageStore, governingTimestamp, coreProtocols);
+        // get the rule set for the inbound message
+        const ruleSet = ProtocolAuthorization.getRuleSet(newestRecordsWrite.message.descriptor.protocolPath, protocolDefinition);
+        const boundFetchDefinition = ProtocolAuthorization.createBoundFetchDefinition(coreProtocols);
+        // If the incoming message has `protocolRole` in the descriptor, validate the invoked role
+        await verifyInvokedRole(tenant, incomingMessage, newestRecordsWrite.message.descriptor.protocol, newestRecordsWrite.message.contextId, protocolDefinition, messageStore, boundFetchDefinition, governingTimestamp);
+        // verify method invoked against the allowed actions in the rule set
+        await authorizeAgainstAllowedActions(tenant, incomingMessage, ruleSet, recordChain, messageStore, protocolDefinition);
+    }
+    static async authorizeQueryOrSubscribe(tenant, incomingMessage, messageStore, coreProtocols) {
+        const { protocol, protocolPath, contextId } = incomingMessage.message.descriptor.filter;
+        // fetch the protocol definition
+        const protocolDefinition = await ProtocolAuthorization.fetchProtocolDefinition(tenant, protocol, // `authorizeQueryOrSubscribe` is only called if `protocol` is present
+        messageStore, undefined, coreProtocols);
+        // get the rule set for the inbound message
+        const ruleSet = ProtocolAuthorization.getRuleSet(protocolPath, // presence of `protocolPath` is verified in `parse()`
+        protocolDefinition);
+        const boundFetchDefinition = ProtocolAuthorization.createBoundFetchDefinition(coreProtocols);
+        // If the incoming message has `protocolRole` in the descriptor, validate the invoked role
+        await verifyInvokedRole(tenant, incomingMessage, protocol, contextId, protocolDefinition, messageStore, boundFetchDefinition);
+        // verify method invoked against the allowed actions in the rule set
+        await authorizeAgainstAllowedActions(tenant, incomingMessage, ruleSet, [], // record chain is not relevant to queries or subscriptions
+        messageStore, protocolDefinition);
     }
     /**
      * Performs protocol-based authorization against the incoming `RecordsDelete` message.
      * @param recordsWrite A `RecordsWrite` of the record being deleted.
      */
-    static authorizeDelete(tenant, incomingMessage, recordsWrite, messageStore) {
-        return __awaiter(this, void 0, void 0, function* () {
-            // fetch record chain
-            const recordChain = yield ProtocolAuthorization.constructRecordChain(tenant, incomingMessage.message.descriptor.recordId, messageStore);
-            // Use the initial write's timestamp to determine the governing protocol definition.
-            const initialWrite = yield ProtocolAuthorization.fetchInitialWrite(tenant, incomingMessage.message.descriptor.recordId, messageStore);
-            const governingTimestamp = initialWrite !== undefined
-                ? initialWrite.descriptor.messageTimestamp
-                : recordsWrite.message.descriptor.messageTimestamp;
-            // fetch the protocol definition that was active when the record was created
-            const protocolDefinition = yield ProtocolAuthorization.fetchProtocolDefinition(tenant, recordsWrite.message.descriptor.protocol, messageStore, governingTimestamp);
-            // get the rule set for the inbound message
-            const ruleSet = ProtocolAuthorization.getRuleSet(recordsWrite.message.descriptor.protocolPath, protocolDefinition);
-            // If the incoming message has `protocolRole` in the descriptor, validate the invoked role
-            yield ProtocolAuthorization.verifyInvokedRole(tenant, incomingMessage, recordsWrite.message.descriptor.protocol, recordsWrite.message.contextId, protocolDefinition, messageStore, governingTimestamp);
-            // verify method invoked against the allowed actions in the rule set
-            yield ProtocolAuthorization.authorizeAgainstAllowedActions(tenant, incomingMessage, ruleSet, recordChain, messageStore, protocolDefinition);
-        });
+    static async authorizeDelete(tenant, incomingMessage, recordsWrite, messageStore, coreProtocols) {
+        // fetch record chain
+        const recordChain = await constructRecordChain(tenant, incomingMessage.message.descriptor.recordId, messageStore);
+        // Use the initial write's timestamp to determine the governing protocol definition.
+        const initialWrite = await fetchInitialWrite(tenant, incomingMessage.message.descriptor.recordId, messageStore);
+        const governingTimestamp = initialWrite !== undefined
+            ? initialWrite.descriptor.messageTimestamp
+            : recordsWrite.message.descriptor.messageTimestamp;
+        // fetch the protocol definition that was active when the record was created
+        const protocolDefinition = await ProtocolAuthorization.fetchProtocolDefinition(tenant, recordsWrite.message.descriptor.protocol, messageStore, governingTimestamp, coreProtocols);
+        // get the rule set for the inbound message
+        const ruleSet = ProtocolAuthorization.getRuleSet(recordsWrite.message.descriptor.protocolPath, protocolDefinition);
+        const boundFetchDefinition = ProtocolAuthorization.createBoundFetchDefinition(coreProtocols);
+        // If the incoming message has `protocolRole` in the descriptor, validate the invoked role
+        await verifyInvokedRole(tenant, incomingMessage, recordsWrite.message.descriptor.protocol, recordsWrite.message.contextId, protocolDefinition, messageStore, boundFetchDefinition, governingTimestamp);
+        // verify method invoked against the allowed actions in the rule set
+        await authorizeAgainstAllowedActions(tenant, incomingMessage, ruleSet, recordChain, messageStore, protocolDefinition);
     }
     /**
      * Fetches the protocol definition based on the protocol specified in the given message.
      * When `messageTimestamp` is provided, returns the protocol definition that was active at that
      * point in time — i.e. the ProtocolsConfigure with the greatest `messageTimestamp` that is <= the
      * given timestamp. When not provided, returns the latest (current) protocol definition.
-     */
-    static fetchProtocolDefinition(tenant, protocolUri, messageStore, messageTimestamp) {
-        return __awaiter(this, void 0, void 0, function* () {
-            // if first-class protocol, return the definition from const object directly without going to data store
-            if (protocolUri === PermissionsProtocol.uri) {
-                return PermissionsProtocol.definition;
-            }
-            // fetch the corresponding protocol definition
-            const query = {
-                interface: DwnInterfaceName.Protocols,
-                method: DwnMethodName.Configure,
-                protocol: protocolUri,
-            };
-            if (messageTimestamp !== undefined) {
-                // temporal lookup: find the protocol definition active at the given timestamp
-                query.messageTimestamp = { lte: messageTimestamp };
-            }
-            else {
-                // default: return only the latest protocol definition
-                query.isLatestBaseState = true;
-            }
-            const { messages: protocols } = yield messageStore.query(tenant, [query], { messageTimestamp: SortDirection.Descending }, { limit: 1 });
-            if (protocols.length === 0) {
-                throw new DwnError(DwnErrorCode.ProtocolAuthorizationProtocolNotFound, `unable to find protocol definition for ${protocolUri}`);
-            }
-            const protocolMessage = protocols[0];
-            return protocolMessage.descriptor.definition;
-        });
-    }
-    /**
-     * Constructs the chain of EXISTING records in the datastore where the first record is the root initial `RecordsWrite` of the record chain
-     * and last record is the initial `RecordsWrite` of the descendant record specified.
-     * @param descendantRecordId The ID of the descendent record to start constructing the record chain from by repeatedly looking up the parent.
-     * @returns the record chain where each record is represented by its initial `RecordsWrite`;
-     *          returns empty array if `descendantRecordId` is `undefined`.
-     * @throws {DwnError} if `descendantRecordId` is defined but any initial `RecordsWrite` is not found in the chain of records.
-     */
-    static constructRecordChain(tenant, descendantRecordId, messageStore) {
-        return __awaiter(this, void 0, void 0, function* () {
-            if (descendantRecordId === undefined) {
-                return [];
-            }
-            const recordChain = [];
-            // keep walking up the chain from the inbound message's parent, until there is no more parent
-            let currentRecordId = descendantRecordId;
-            while (currentRecordId !== undefined) {
-                const initialWrite = yield ProtocolAuthorization.fetchInitialWrite(tenant, currentRecordId, messageStore);
-                // RecordsWrite needed should be available since we perform necessary checks at the time of writes,
-                // eg. check the immediate parent in `verifyProtocolPathAndContextId` at the time of writing,
-                // so if this condition is triggered, it means there is an unexpected bug that caused an incomplete chain.
-                // We add additional defensive check here because returning an unexpected/incorrect record chain could lead to security vulnerabilities.
-                if (initialWrite === undefined) {
-                    throw new DwnError(DwnErrorCode.ProtocolAuthorizationParentNotFoundConstructingRecordChain, `Unexpected error that should never trigger: no parent found with ID ${currentRecordId} when constructing record chain.`);
-                }
-                recordChain.push(initialWrite);
-                currentRecordId = initialWrite.descriptor.parentId;
+     *
+     * When `coreProtocols` is provided, core protocol definitions are returned directly from the
+     * registry without a message store query. The extra parameter does not affect the
+     * `FetchProtocolDefinitionFn` callback type — callers that pass this function as a callback
+     * should bind the registry via a closure (see `createBoundFetchDefinition`).
+     */
+    static async fetchProtocolDefinition(tenant, protocolUri, messageStore, messageTimestamp, coreProtocols) {
+        // if the protocol is a registered core protocol, return the definition directly without a store query
+        if (coreProtocols !== undefined) {
+            const coreDefinition = coreProtocols.getDefinition(protocolUri);
+            if (coreDefinition !== undefined) {
+                return coreDefinition;
             }
-            return recordChain.reverse(); // root record first
-        });
+        }
+        // fetch the corresponding protocol definition
+        const query = {
+            interface: DwnInterfaceName.Protocols,
+            method: DwnMethodName.Configure,
+            protocol: protocolUri,
+        };
+        if (messageTimestamp !== undefined) {
+            // temporal lookup: find the protocol definition active at the given timestamp
+            query.messageTimestamp = { lte: messageTimestamp };
+        }
+        else {
+            // default: return only the latest protocol definition
+            query.isLatestBaseState = true;
+        }
+        const { messages: protocols } = await messageStore.query(tenant, [query], { messageTimestamp: SortDirection.Descending }, { limit: 1 });
+        if (protocols.length === 0) {
+            throw new DwnError(DwnErrorCode.ProtocolAuthorizationProtocolNotFound, `unable to find protocol definition for ${protocolUri}`);
+        }
+        const protocolMessage = protocols[0];
+        return protocolMessage.descriptor.definition;
     }
     /**
-     * Fetches the initial RecordsWrite message associated with the given (tenant + recordId).
+     * Creates a `FetchProtocolDefinitionFn` closure that binds the given `CoreProtocolRegistry`.
+     * This allows core protocol definitions to be resolved from the registry without changing
+     * the `FetchProtocolDefinitionFn` type signature — zero ripple to downstream consumers
+     * like `protocol-authorization-action.ts` and `protocol-authorization-validation.ts`.
      */
-    static fetchInitialWrite(tenant, recordId, messageStore) {
-        return __awaiter(this, void 0, void 0, function* () {
-            const query = {
-                interface: DwnInterfaceName.Records,
-                method: DwnMethodName.Write,
-                recordId: recordId
-            };
-            const { messages } = yield messageStore.query(tenant, [query]);
-            if (messages.length === 0) {
-                return undefined;
-            }
-            const initialWrite = yield RecordsWrite.getInitialWrite(messages);
-            return initialWrite;
-        });
+    static createBoundFetchDefinition(coreProtocols) {
+        return (tenant, protocolUri, messageStore, messageTimestamp) => {
+            return ProtocolAuthorization.fetchProtocolDefinition(tenant, protocolUri, messageStore, messageTimestamp, coreProtocols);
+        };
     }
     /**
      * Gets the rule set corresponding to the given protocolPath.
@@ -242,547 +187,5 @@ export class ProtocolAuthorization {
         }
         return ruleSet;
     }
-    /**
-     * Verifies the `protocolPath` declared in the given message (if it is a RecordsWrite) matches the path of actual record chain.
-     * For cross-protocol composition, the parent record may belong to a different protocol (resolved via `$ref` in the composing protocol).
-     * @throws {DwnError} if fails verification.
-     */
-    static verifyProtocolPathAndContextId(tenant, inboundMessage, messageStore, governingTimestamp) {
-        return __awaiter(this, void 0, void 0, function* () {
-            const declaredProtocolPath = inboundMessage.message.descriptor.protocolPath;
-            const declaredTypeName = ProtocolAuthorization.getTypeName(declaredProtocolPath);
-            const parentId = inboundMessage.message.descriptor.parentId;
-            if (parentId === undefined) {
-                if (declaredProtocolPath !== declaredTypeName) {
-                    throw new DwnError(DwnErrorCode.ProtocolAuthorizationParentlessIncorrectProtocolPath, `Declared protocol path '${declaredProtocolPath}' is not valid for records with no parent'.`);
-                }
-                return;
-            }
-            // Else `parentId` is defined, so we need to verify both protocolPath and contextId
-            // Determine the protocol URI for the parent query.
-            // If the parent path segment has a `$ref` in the composing protocol, the parent lives in a different protocol.
-            const childProtocol = inboundMessage.message.descriptor.protocol;
-            const parentProtocolUri = yield ProtocolAuthorization.resolveParentProtocolUri(tenant, childProtocol, declaredProtocolPath, messageStore, governingTimestamp);
-            // fetch the parent message
-            const query = {
-                isLatestBaseState: true, // NOTE: this filter is critical, to ensure are are not returning a deleted parent
-                interface: DwnInterfaceName.Records,
-                method: DwnMethodName.Write,
-                protocol: parentProtocolUri,
-                recordId: parentId
-            };
-            const { messages: parentMessages } = yield messageStore.query(tenant, [query]);
-            const parentMessage = parentMessages[0];
-            if (parentMessage === undefined) {
-                // if this is a cross-protocol composition lookup, use a more descriptive error
-                if (parentProtocolUri !== childProtocol) {
-                    throw new DwnError(DwnErrorCode.ProtocolAuthorizationCrossProtocolParentNotFound, `Could not find parent record '${parentId}' in protocol '${parentProtocolUri}' ` +
-                        `for cross-protocol child at path '${declaredProtocolPath}'.`);
-                }
-                throw new DwnError(DwnErrorCode.ProtocolAuthorizationIncorrectProtocolPath, `Could not find matching parent record to verify declared protocol path '${declaredProtocolPath}'.`);
-            }
-            // verifying protocolPath of incoming message is a child of the parent message's protocolPath
-            const parentProtocolPath = parentMessage.descriptor.protocolPath;
-            const expectedProtocolPath = `${parentProtocolPath}/${declaredTypeName}`;
-            if (expectedProtocolPath !== declaredProtocolPath) {
-                throw new DwnError(DwnErrorCode.ProtocolAuthorizationIncorrectProtocolPath, `Could not find matching parent record to verify declared protocol path '${declaredProtocolPath}'.`);
-            }
-            // verifying contextId of incoming message is a child of the parent message's contextId
-            const expectedContextId = `${parentMessage.contextId}/${inboundMessage.message.recordId}`;
-            const actualContextId = inboundMessage.message.contextId;
-            if (actualContextId !== expectedContextId) {
-                throw new DwnError(DwnErrorCode.ProtocolAuthorizationIncorrectContextId, `Declared contextId '${actualContextId}' is not the same as expected: '${expectedContextId}'.`);
-            }
-        });
-    }
-    /**
-     * Resolves the protocol URI that should be used when querying for the parent record.
-     * For standard (non-composed) records, this is the same as the child's protocol.
-     * For cross-protocol composition, the parent may live in a different protocol
-     * (resolved via `$ref` in the composing protocol's definition).
-     *
-     * Logic: Given a child at protocolPath `a/b/c`, the parent is at `a/b`.
-     * Walk up the composing protocol's structure from root to `a/b`.
-     * If any segment along the way has a `$ref`, the parent (and its ancestors up to the `$ref` boundary)
-     * live in the referenced protocol. Specifically, the `$ref` at the topmost ancestor tells us
-     * the parent's protocol URI.
-     */
-    static resolveParentProtocolUri(tenant, childProtocolUri, childProtocolPath, messageStore, governingTimestamp) {
-        return __awaiter(this, void 0, void 0, function* () {
-            const segments = childProtocolPath.split('/');
-            // A root-level record (no `/` in path) has no parent or uses the same protocol
-            if (segments.length <= 1) {
-                return childProtocolUri;
-            }
-            // Fetch the composing protocol's definition at the governing timestamp
-            const composingDefinition = yield ProtocolAuthorization.fetchProtocolDefinition(tenant, childProtocolUri, messageStore, governingTimestamp);
-            // Walk the structure to find the parent's path segment
-            // The parent's position in the structure is at segments[0..n-2]
-            // We check if the first segment has a `$ref`, which means the parent is in a different protocol
-            const firstSegmentRuleSet = composingDefinition.structure[segments[0]];
-            if ((firstSegmentRuleSet === null || firstSegmentRuleSet === void 0 ? void 0 : firstSegmentRuleSet.$ref) !== undefined) {
-                const parsed = parseCrossProtocolRef(firstSegmentRuleSet.$ref);
-                if (parsed !== undefined && composingDefinition.uses !== undefined) {
-                    const resolvedUri = composingDefinition.uses[parsed.alias];
-                    if (resolvedUri !== undefined) {
-                        // The parent path is within the `$ref` boundary — check if the parent IS the `$ref` node
-                        // or is a descendant of it (which would still be in the composing protocol).
-                        // If segments.length === 2, parent is at segments[0] which IS the $ref node → parent's protocol is the referenced one.
-                        // If segments.length > 2, parent is at segments[0..n-2]. If segments[0] is $ref, the parent could be:
-                        //   - Still the $ref node itself (segments.length === 2) → referenced protocol
-                        //   - A child of the $ref node defined in the composing protocol (segments.length > 2) → composing protocol
-                        if (segments.length === 2) {
-                            // Parent is the $ref node itself (e.g., child is "thread/comment", parent is "thread")
-                            return resolvedUri;
-                        }
-                        // else: parent is a deeper child defined in the composing protocol
-                        return childProtocolUri;
-                    }
-                }
-            }
-            return childProtocolUri;
-        });
-    }
-    /**
-     * Verifies the `dataFormat` and `schema` declared in the given message matches the type in the protocol.
-     * For cross-protocol composition, if the type is at a `$ref` position in the structure,
-     * the type definition is looked up in the referenced protocol's `types` map instead.
-     */
-    static verifyTypeWithComposition(tenant, inboundMessage, protocolDefinition, messageStore, governingTimestamp) {
-        return __awaiter(this, void 0, void 0, function* () {
-            const declaredProtocolPath = inboundMessage.descriptor.protocolPath;
-            const declaredTypeName = ProtocolAuthorization.getTypeName(declaredProtocolPath);
-            // Resolve which protocol types map to use.
-            // If the first path segment has `$ref`, this record's type might be defined in a referenced protocol.
-            const protocolTypes = yield ProtocolAuthorization.resolveProtocolTypesForPath(tenant, declaredProtocolPath, protocolDefinition, messageStore, governingTimestamp);
-            ProtocolAuthorization.verifyType(inboundMessage, protocolTypes, declaredTypeName);
-        });
-    }
-    /**
-     * Resolves the `ProtocolTypes` map that contains the type definition for the given protocol path.
-     * For non-composed records, this is the protocol definition's own `types` map.
-     * For records at a `$ref` position, this is the referenced protocol's `types` map.
-     */
-    static resolveProtocolTypesForPath(tenant, protocolPath, protocolDefinition, messageStore, governingTimestamp) {
-        return __awaiter(this, void 0, void 0, function* () {
-            const segments = protocolPath.split('/');
-            // Check if the first segment has a `$ref`
-            const firstSegmentRuleSet = protocolDefinition.structure[segments[0]];
-            if ((firstSegmentRuleSet === null || firstSegmentRuleSet === void 0 ? void 0 : firstSegmentRuleSet.$ref) !== undefined && segments.length === 1) {
-                // This record IS the $ref node itself — its type is defined in the referenced protocol
-                const parsed = parseCrossProtocolRef(firstSegmentRuleSet.$ref);
-                if (parsed !== undefined && protocolDefinition.uses !== undefined) {
-                    const refProtocolUri = protocolDefinition.uses[parsed.alias];
-                    if (refProtocolUri !== undefined) {
-                        const refDefinition = yield ProtocolAuthorization.fetchProtocolDefinition(tenant, refProtocolUri, messageStore, governingTimestamp);
-                        return refDefinition.types;
-                    }
-                }
-            }
-            // Default: use the composing protocol's own types
-            return protocolDefinition.types;
-        });
-    }
-    /**
-     * Verifies the `dataFormat` and `schema` declared in the given message (if it is a RecordsWrite) matches dataFormat
-     * and schema of the type in the given protocol.
-     * @throws {DwnError} if fails verification.
-     */
-    static verifyType(inboundMessage, protocolTypes, typeName) {
-        const declaredTypeName = typeName !== null && typeName !== void 0 ? typeName : ProtocolAuthorization.getTypeName(inboundMessage.descriptor.protocolPath);
-        const typeNames = Object.keys(protocolTypes);
-        if (!typeNames.includes(declaredTypeName)) {
-            throw new DwnError(DwnErrorCode.ProtocolAuthorizationInvalidType, `record with type ${declaredTypeName} not allowed in protocol`);
-        }
-        const protocolType = protocolTypes[declaredTypeName];
-        // no `schema` specified in protocol definition means that any schema is allowed
-        const { schema } = inboundMessage.descriptor;
-        if (protocolType.schema !== undefined && protocolType.schema !== schema) {
-            throw new DwnError(DwnErrorCode.ProtocolAuthorizationInvalidSchema, `type '${declaredTypeName}' must have schema '${protocolType.schema}', \
-        instead has '${schema}'`);
-        }
-        // no `dataFormats` specified in protocol definition means that all dataFormats are allowed
-        const { dataFormat } = inboundMessage.descriptor;
-        if (protocolType.dataFormats !== undefined && !protocolType.dataFormats.includes(dataFormat)) {
-            throw new DwnError(DwnErrorCode.ProtocolAuthorizationIncorrectDataFormat, `type '${declaredTypeName}' must have data format in (${protocolType.dataFormats}), \
-        instead has '${dataFormat}'`);
-        }
-        // enforce encryption when the protocol type requires it
-        if (protocolType.encryptionRequired === true && inboundMessage.encryption === undefined) {
-            throw new DwnError(DwnErrorCode.ProtocolAuthorizationEncryptionRequired, `type '${declaredTypeName}' requires encryption but message has no encryption metadata`);
-        }
-    }
-    /**
-     * Check if the incoming message is invoking a role. If so, validate the invoked role.
-     * For cross-protocol role invocation, the role record may live in a different protocol
-     * (resolved via the composing protocol's `uses` map).
-     */
-    static verifyInvokedRole(tenant, incomingMessage, protocolUri, contextId, protocolDefinition, messageStore, governingTimestamp) {
-        return __awaiter(this, void 0, void 0, function* () {
-            var _a;
-            const protocolRole = (_a = incomingMessage.signaturePayload) === null || _a === void 0 ? void 0 : _a.protocolRole;
-            // Only verify role if there is a role being invoked
-            if (protocolRole === undefined) {
-                return;
-            }
-            // Determine the protocol URI and protocol path for the role record.
-            // For cross-protocol roles (e.g., "threads:thread/participant"), resolve the alias.
-            let roleProtocolUri = protocolUri;
-            let roleProtocolPath = protocolRole;
-            if (isCrossProtocolRef(protocolRole)) {
-                const parsed = parseCrossProtocolRef(protocolRole);
-                if (parsed === undefined) {
-                    throw new DwnError(DwnErrorCode.ProtocolAuthorizationNotARole, `Cross-protocol role '${protocolRole}' could not be parsed as a valid 'alias:path' format.`);
-                }
-                if (protocolDefinition.uses === undefined || protocolDefinition.uses[parsed.alias] === undefined) {
-                    throw new DwnError(DwnErrorCode.ProtocolAuthorizationNotARole, `Cross-protocol role alias '${parsed.alias}' in '${protocolRole}' does not exist in the protocol's 'uses' map.`);
-                }
-                roleProtocolUri = protocolDefinition.uses[parsed.alias];
-                roleProtocolPath = parsed.protocolPath;
-                // Fetch the referenced protocol's definition to validate the role exists
-                const refDefinition = yield ProtocolAuthorization.fetchProtocolDefinition(tenant, roleProtocolUri, messageStore, governingTimestamp);
-                const roleRuleSet = getRuleSetAtPath(roleProtocolPath, refDefinition.structure);
-                if (roleRuleSet === undefined || !roleRuleSet.$role) {
-                    throw new DwnError(DwnErrorCode.ProtocolAuthorizationNotARole, `Cross-protocol role path ${protocolRole} does not match role record type.`);
-                }
-            }
-            else {
-                // Local role: validate in the composing protocol's definition
-                const roleRuleSet = getRuleSetAtPath(protocolRole, protocolDefinition.structure);
-                if (roleRuleSet === undefined || !roleRuleSet.$role) {
-                    throw new DwnError(DwnErrorCode.ProtocolAuthorizationNotARole, `Protocol path ${protocolRole} does not match role record type.`);
-                }
-            }
-            // Construct a filter to fetch the invoked role record
-            const roleRecordFilter = {
-                interface: DwnInterfaceName.Records,
-                method: DwnMethodName.Write,
-                protocol: roleProtocolUri,
-                protocolPath: roleProtocolPath,
-                recipient: incomingMessage.author,
-                isLatestBaseState: true,
-            };
-            const ancestorSegmentCountOfRolePath = roleProtocolPath.split('/').length - 1;
-            if (contextId === undefined && ancestorSegmentCountOfRolePath > 0) {
-                throw new DwnError(DwnErrorCode.ProtocolAuthorizationMissingContextId, 'Could not verify role because contextId is missing.');
-            }
-            // Compute `contextId` prefix filter for fetching the invoked role record if the role path is not at the root level.
-            // e.g. if invoked role path is `Thread/Participant`, and the `contextId` of the message is `threadX/messageY/attachmentZ`,
-            // then we need to add a prefix filter as `threadX` for the `contextId`
-            // because the `contextId` of the Participant record would be in the form of be `threadX/participantA`
-            if (ancestorSegmentCountOfRolePath > 0) {
-                const contextIdSegments = contextId.split('/'); // NOTE: currently contextId segment count is never shorter than the role path count.
-                const contextIdPrefix = contextIdSegments.slice(0, ancestorSegmentCountOfRolePath).join('/');
-                const contextIdPrefixFilter = FilterUtility.constructPrefixFilterAsRangeFilter(contextIdPrefix);
-                roleRecordFilter.contextId = contextIdPrefixFilter;
-            }
-            const { messages: matchingMessages } = yield messageStore.query(tenant, [roleRecordFilter]);
-            if (matchingMessages.length === 0) {
-                throw new DwnError(DwnErrorCode.ProtocolAuthorizationMatchingRoleRecordNotFound, `No matching role record found for protocol path ${roleProtocolPath}`);
-            }
-        });
-    }
-    /**
-     * Returns all the ProtocolActions that would authorized the incoming message
-     * (but we still need to later verify if there is a rule defined that matches one of the actions).
-     * NOTE: the reason why there could be multiple actions is because:
-     * - In case of an initial RecordsWrite, the RecordsWrite can be authorized by an allow `create` or `write` rule.
-     * - In case of a non-initial RecordsWrite by the original record author, the RecordsWrite can be authorized by a `write` or `co-update` rule.
-     *
-     * It is important to recognize that the `write` access that allowed the original record author to create the record maybe revoked
-     * (e.g. by role revocation) by the time a "non-initial" write by the same author is attempted.
-     */
-    static getActionsSeekingARuleMatch(tenant, incomingMessage, messageStore) {
-        return __awaiter(this, void 0, void 0, function* () {
-            switch (incomingMessage.message.descriptor.method) {
-                case DwnMethodName.Delete:
-                    const recordsDelete = incomingMessage;
-                    const recordId = recordsDelete.message.descriptor.recordId;
-                    const initialWrite = yield RecordsWrite.fetchInitialRecordsWrite(messageStore, tenant, recordId);
-                    // if there is no initial write, then no action rule can authorize the incoming message, because we won't know who the original author is
-                    // NOTE: purely defensive programming: currently not reachable
-                    // because RecordsDelete handler already have an existence check prior to this method being called.
-                    if (initialWrite === undefined) {
-                        return [];
-                    }
-                    const actionsThatWouldAuthorizeDelete = [];
-                    const prune = recordsDelete.message.descriptor.prune;
-                    if (prune) {
-                        actionsThatWouldAuthorizeDelete.push(ProtocolAction.CoPrune);
-                        // A prune by the original record author can also be authorized by a 'prune' rule.
-                        if (incomingMessage.author === initialWrite.author) {
-                            actionsThatWouldAuthorizeDelete.push(ProtocolAction.Prune);
-                        }
-                    }
-                    else {
-                        actionsThatWouldAuthorizeDelete.push(ProtocolAction.CoDelete);
-                        // A delete by the original record author can also be authorized by a 'delete' rule.
-                        if (incomingMessage.author === initialWrite.author) {
-                            actionsThatWouldAuthorizeDelete.push(ProtocolAction.Delete);
-                        }
-                    }
-                    return actionsThatWouldAuthorizeDelete;
-                case DwnMethodName.Count:
-                    return [ProtocolAction.Read];
-                case DwnMethodName.Query:
-                    return [ProtocolAction.Read];
-                case DwnMethodName.Read:
-                    return [ProtocolAction.Read];
-                case DwnMethodName.Subscribe:
-                    return [ProtocolAction.Read];
-                case DwnMethodName.Write:
-                    const incomingRecordsWrite = incomingMessage;
-                    if (yield incomingRecordsWrite.isInitialWrite()) {
-                        return [ProtocolAction.Create];
-                    }
-                    else {
-                        // else incoming RecordsWrite not an initial write
-                        const recordId = incomingMessage.message.recordId;
-                        const initialWrite = yield RecordsWrite.fetchInitialRecordsWrite(messageStore, tenant, recordId);
-                        // if there is no initial write to update from, then no action rule can authorize the incoming message
-                        if (initialWrite === undefined) {
-                            return [];
-                        }
-                        if (incomingMessage.author === initialWrite.author) {
-                            // 'update' or 'co-update' action authorizes the incoming message
-                            return [ProtocolAction.CoUpdate, ProtocolAction.Update];
-                        }
-                        else {
-                            // An update by someone who is not the record author can only be authorized by a 'co-update' rule.
-                            return [ProtocolAction.CoUpdate];
-                        }
-                    }
-            }
-            // purely defensive programming: should not be reachable
-            // setting to empty array will prevent any message from being authorized
-            return [];
-        });
-    }
-    /**
-     * Verifies the given message is authorized by one of the action rules in the given protocol rule set.
-     * @param protocolDefinition Optional protocol definition for resolving cross-protocol `of` and `role` references.
-     * @throws {Error} if action not allowed.
-     */
-    static authorizeAgainstAllowedActions(tenant, incomingMessage, ruleSet, recordChain, messageStore, protocolDefinition) {
-        return __awaiter(this, void 0, void 0, function* () {
-            var _a;
-            const incomingMessageMethod = incomingMessage.message.descriptor.method;
-            const actionsSeekingARuleMatch = yield ProtocolAuthorization.getActionsSeekingARuleMatch(tenant, incomingMessage, messageStore);
-            const author = incomingMessage.author;
-            const actionRules = ruleSet.$actions;
-            // NOTE: We have already checked that the message is not from tenant, owner, or permission grant authorized prior to this method being called.
-            if (actionRules === undefined) {
-                throw new DwnError(DwnErrorCode.ProtocolAuthorizationActionRulesNotFound, `no action rule defined for Records${incomingMessageMethod}, ${author} is unauthorized`);
-            }
-            const invokedRole = (_a = incomingMessage.signaturePayload) === null || _a === void 0 ? void 0 : _a.protocolRole;
-            // Iterate through the action rules to find a rule that authorizes the incoming message.
-            for (const actionRule of actionRules) {
-                // If the action rule does not have an allowed action that matches an action that can authorize the message, skip to evaluate next action rule.
-                const ruleHasAMatchingAllowedAction = actionRule.can.some(allowedAction => actionsSeekingARuleMatch.includes(allowedAction));
-                if (!ruleHasAMatchingAllowedAction) {
-                    continue;
-                }
-                // Code reaches here means this action rule has an allowed action that matches the action of the message.
-                // The remaining code checks the actor/author of the incoming message.
-                // If the action rule allows `anyone`, then no further checks are needed.
-                if (actionRule.who === ProtocolActor.Anyone) {
-                    return;
-                }
-                // Since not `anyone` is allowed in this action rule, we will need to check the author of the incoming message,
-                // if the author of incoming message is not defined, this action rule cannot authorize the incoming message.
-                if (author === undefined) {
-                    continue;
-                }
-                // go through role validation path if a role is invoked by the incoming message
-                if (invokedRole !== undefined) {
-                    // When a protocol role is being invoked, we require that there is a matching `role` rule.
-                    if (actionRule.role === invokedRole) {
-                        // role is successfully invoked
-                        return;
-                    }
-                    else {
-                        continue;
-                    }
-                }
-                // else we go through the actor (`who`) validation
-                // If `of` is not set, handle it as a special case
-                // NOTE: `of` is always set if `who` is set to `author` (we do this check in `validateRuleSetRecursively()`)
-                if (actionRule.who === ProtocolActor.Recipient && actionRule.of === undefined) {
-                    // If the action rule specifies a recipient without `of` and the incoming message is authenticated:
-                    // Author must be recipient of the record being accessed
-                    let recordsWriteMessage;
-                    if (incomingMessage.message.descriptor.method === DwnMethodName.Write) {
-                        recordsWriteMessage = incomingMessage.message;
-                    }
-                    else {
-                        // else the incoming message must be a `RecordsDelete` because only `co-update`, `co-delete`, `co-prune` are allowed recipient actions,
-                        // (we do this check in `validateRuleSetRecursively()`)
-                        // and we have already checked that the incoming message is not a `RecordsWrite` above which covers `co-update` path.
-                        recordsWriteMessage = recordChain[recordChain.length - 1];
-                    }
-                    if (recordsWriteMessage.descriptor.recipient === author) {
-                        return;
-                    }
-                    else {
-                        continue;
-                    }
-                }
-                // validate the actor is allowed by the current action rule
-                const ancestorRuleSuccess = yield ProtocolAuthorization.checkActor(author, actionRule, recordChain, protocolDefinition);
-                if (ancestorRuleSuccess) {
-                    return;
-                }
-            }
-            // No action rules were satisfied, message is not authorized
-            throw new DwnError(DwnErrorCode.ProtocolAuthorizationActionNotAllowed, `Inbound message action Records${incomingMessageMethod} by author ${incomingMessage.author} not allowed.`);
-        });
-    }
-    /**
-     * Verifies that writes adhere to the $size constraints if provided
-     * @throws {Error} if size is exceeded.
-     */
-    static verifySizeLimit(incomingMessage, ruleSet) {
-        const { min = 0, max } = ruleSet.$size || {};
-        const dataSize = incomingMessage.message.descriptor.dataSize;
-        if (dataSize < min) {
-            throw new DwnError(DwnErrorCode.ProtocolAuthorizationMinSizeInvalid, `data size ${dataSize} is less than allowed ${min}`);
-        }
-        if (max === undefined) {
-            return;
-        }
-        if (dataSize > max) {
-            throw new DwnError(DwnErrorCode.ProtocolAuthorizationMaxSizeInvalid, `data size ${dataSize} is more than allowed ${max}`);
-        }
-    }
-    static verifyTagsIfNeeded(incomingMessage, ruleSet) {
-        if (ruleSet.$tags !== undefined) {
-            const { tags = {}, protocol, protocolPath } = incomingMessage.message.descriptor;
-            const _a = ruleSet.$tags, { $allowUndefinedTags, $requiredTags } = _a, properties = __rest(_a, ["$allowUndefinedTags", "$requiredTags"]);
-            // if $allowUndefinedTags is set to false and there are properties not defined in the schema, an error is thrown
-            const additionalProperties = $allowUndefinedTags || false;
-            // if $requiredTags is set, all required tags must be present
-            const required = $requiredTags || [];
-            const ajv = new Ajv.default();
-            const compiledTags = ajv.compile({
-                type: 'object',
-                properties,
-                required,
-                additionalProperties,
-            });
-            const validSchema = compiledTags(tags);
-            if (!validSchema) {
-                // the `dataVar` is used to add a qualifier to the error message.
-                // For example. If the error is related to a tag `status` in a protocol `https://example.protocol` with the protocolPath `example/path`
-                // the error would be described as `https://example.protocol/example/path/$tags/status'
-                // without this decorator it would show up as `data/status` which may be confusing.
-                const schemaError = ajv.errorsText(compiledTags.errors, { dataVar: `${protocol}/${protocolPath}/$tags` });
-                throw new DwnError(DwnErrorCode.ProtocolAuthorizationTagsInvalidSchema, `tags schema validation error: ${schemaError}`);
-            }
-        }
-    }
-    /**
-     * If the given RecordsWrite is not a role record, this method does nothing and succeeds immediately.
-     *
-     * Else it verifies the validity of the given `RecordsWrite` as a role record, including:
-     * 1. The same role has not been assigned to the same entity/recipient.
-     */
-    static verifyAsRoleRecordIfNeeded(tenant, incomingMessage, ruleSet, messageStore) {
-        return __awaiter(this, void 0, void 0, function* () {
-            if (!ruleSet.$role) {
-                return;
-            }
-            // else this is a role record
-            const incomingRecordsWrite = incomingMessage;
-            const recipient = incomingRecordsWrite.message.descriptor.recipient;
-            if (recipient === undefined) {
-                throw new DwnError(DwnErrorCode.ProtocolAuthorizationRoleMissingRecipient, 'Role records must have a recipient');
-            }
-            const protocolPath = incomingRecordsWrite.message.descriptor.protocolPath;
-            const filter = {
-                interface: DwnInterfaceName.Records,
-                method: DwnMethodName.Write,
-                isLatestBaseState: true,
-                protocol: incomingRecordsWrite.message.descriptor.protocol,
-                protocolPath,
-                recipient,
-            };
-            const parentContextId = Records.getParentContextFromOfContextId(incomingRecordsWrite.message.contextId);
-            // if this is not the root record, add a prefix filter to the query
-            if (parentContextId !== '') {
-                const prefixFilter = FilterUtility.constructPrefixFilterAsRangeFilter(parentContextId);
-                filter.contextId = prefixFilter;
-            }
-            const { messages: matchingMessages } = yield messageStore.query(tenant, [filter]);
-            const matchingRecords = matchingMessages;
-            const matchingRecordsExceptIncomingRecordId = matchingRecords.filter((recordsWriteMessage) => recordsWriteMessage.recordId !== incomingRecordsWrite.message.recordId);
-            if (matchingRecordsExceptIncomingRecordId.length > 0) {
-                throw new DwnError(DwnErrorCode.ProtocolAuthorizationDuplicateRoleRecipient, `DID '${recipient}' is already recipient of a role record at protocol path '${protocolPath} under the parent context ${parentContextId}.`);
-            }
-        });
-    }
-    /**
-     * Checks if the `who: 'author' | 'recipient'` action rule has a matching record in the record chain.
-     * For cross-protocol `of` references (e.g., `"threads:thread"`), matches against both the protocol URI
-     * and the protocol path of the ancestor record.
-     * @returns `true` if the action rule is satisfied; `false` otherwise.
-     */
-    static checkActor(author, actionRule, recordChain, composingDefinition) {
-        return __awaiter(this, void 0, void 0, function* () {
-            const ofValue = actionRule.of;
-            // `of` should always be defined when `checkActor` is called, but guard defensively
-            if (ofValue === undefined) {
-                return false;
-            }
-            let ancestorRecordsWrite;
-            if (isCrossProtocolRef(ofValue) && (composingDefinition === null || composingDefinition === void 0 ? void 0 : composingDefinition.uses) !== undefined) {
-                // Cross-protocol `of`: resolve alias to protocol URI and match by both protocol + protocolPath
-                const parsed = parseCrossProtocolRef(ofValue);
-                if (parsed !== undefined) {
-                    const refProtocolUri = composingDefinition.uses[parsed.alias];
-                    if (refProtocolUri !== undefined) {
-                        ancestorRecordsWrite = recordChain.find((msg) => msg.descriptor.protocol === refProtocolUri && msg.descriptor.protocolPath === parsed.protocolPath);
-                    }
-                }
-            }
-            else {
-                // Local `of`: match by protocolPath only (same protocol assumed)
-                ancestorRecordsWrite = recordChain.find((msg) => msg.descriptor.protocolPath === ofValue);
-            }
-            if (ancestorRecordsWrite === undefined) {
-                // No matching ancestor found in the record chain. Return false to allow the caller
-                // to continue evaluating other action rules that might authorize the request.
-                return false;
-            }
-            if (actionRule.who === ProtocolActor.Recipient) {
-                // author of the incoming message must be the recipient of the ancestor message
-                return author === ancestorRecordsWrite.descriptor.recipient;
-            }
-            else { // actionRule.who === ProtocolActor.Author
-                // author of the incoming message must be the author of the ancestor message
-                const ancestorAuthor = (yield RecordsWrite.parse(ancestorRecordsWrite)).author;
-                return author === ancestorAuthor;
-            }
-        });
-    }
-    /**
-     * Determines the timestamp that governs which protocol definition version applies to the given RecordsWrite.
-     * For an update, this is the initial write's `messageTimestamp` (the protocol version is locked at creation time).
-     * For a new initial write, returns `undefined` — the latest protocol definition should be used because the
-     * record is being created now and must conform to the current protocol rules.
-     */
-    static getGoverningTimestamp(tenant, incomingMessage, messageStore) {
-        return __awaiter(this, void 0, void 0, function* () {
-            const existingInitialWrite = yield ProtocolAuthorization.fetchInitialWrite(tenant, incomingMessage.message.recordId, messageStore);
-            if (existingInitialWrite !== undefined) {
-                // update case: use the initial write's timestamp
-                return existingInitialWrite.descriptor.messageTimestamp;
-            }
-            // initial write case: validate against the latest protocol definition
-            return undefined;
-        });
-    }
-    static getTypeName(protocolPath) {
-        return protocolPath.split('/').slice(-1)[0];
-    }
 }
 //# sourceMappingURL=protocol-authorization.js.map